From 2cbc694687190cadb155c5582f93a8cf91ebdc4c Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 26 Aug 2021 15:04:46 +0200
Subject: [PATCH] Bug 1942281 - Set postfix rules to notapplicable when package
 is not installed

---
 .../rule.yml                                  |  2 ++
 .../rule.yml                                  |  2 ++
 .../services/mail/postfix_harden_os/group.yml |  2 ++
 .../rule.yml                                  |  3 ++-
 products/rhel8/profiles/stig.profile          |  4 +---
 products/rhel9/profiles/stig.profile          |  4 +---
 shared/applicability/general.yml              |  5 +++++
 .../installed_env_has_postfix_package.xml     | 20 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt        |  1 -
 .../data/profile_stability/rhel8/stig.profile |  3 ++-
 .../profile_stability/rhel8/stig_gui.profile  |  3 ++-
 11 files changed, 39 insertions(+), 10 deletions(-)
 create mode 100644 shared/checks/oval/installed_env_has_postfix_package.xml

diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
index 0faafeb0c2f..4b440e79845 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
@@ -21,3 +21,5 @@ ocil: |-
     Run the following command to ensure postfix routes mail to this system:
     <pre>$ grep relayhost /etc/postfix/main.cf</pre>
     If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_relayhost") }}}</tt>.
+
+platform: postfix
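Review bot: The applicability is attached here at rule level (and again in the postfix_network_listening_disabled hunk), while for the postfix_harden_os tree the same `platform: postfix` is set once on group.yml; the asymmetry is not explained anywhere in the patch. If it is deliberate — presumably because other rules under postfix_client, such as postfix_client_configure_mail_alias, are meant to stay applicable without the package — a one-line comment above the key would save the next reader from "fixing" it, e.g. `# Rule-level platform on purpose: not every postfix_client rule requires the package.` If it is not deliberate, moving the key to the group file would match the harden_os side.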
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
index 096020ef687..579db484976 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
@@ -42,3 +42,5 @@ ocil: |-
     Run the following command to ensure postfix accepts mail messages from only the local system:
     <pre>$ grep inet_interfaces /etc/postfix/main.cf</pre>
     If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_inet_interfaces") }}}</tt>.
+
+platform: postfix
diff --git a/linux_os/guide/services/mail/postfix_harden_os/group.yml b/linux_os/guide/services/mail/postfix_harden_os/group.yml
index 19b662508bd..8a415425e7d 100644
--- a/linux_os/guide/services/mail/postfix_harden_os/group.yml
+++ b/linux_os/guide/services/mail/postfix_harden_os/group.yml
@@ -6,3 +6,5 @@ description: |-
     The guidance in this section is appropriate for any host which is
     operating as a site MTA, whether the mail server runs using Sendmail, Postfix,
     or some other software.
+
+platform: postfix
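Review bot: The description immediately above the new key still says the guidance applies "whether the mail server runs using Sendmail, Postfix, or some other software", but with `platform: postfix` the entire group now evaluates as not applicable unless the postfix package is installed, so the text and the applicability contradict each other. Suggest narrowing the last sentence to match, e.g. `operating as a site MTA with Postfix; the group is marked notapplicable` / `when the postfix package is not installed.` The description scalar starts before the hunk, so the earlier wording should be checked as well.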
diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
index 9b4c7656a85..75e4133b119 100644
--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
+++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,wrlinux1019
 
 title: 'Prevent Unrestricted Mail Relaying'
 
@@ -19,6 +19,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80512-7
     cce@rhel8: CCE-84054-6
+    cce@rhel9: CCE-87232-5
 
 references:
     disa: CCI-000366
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index d31b251645b..5e9a2216fcd 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1160,9 +1160,7 @@ selections:
     - sysctl_net_core_bpf_jit_harden
 
     # RHEL-08-040290
-    # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
-    # there needs to be a new platform check to identify when postfix is installed or not
-    # - postfix_prevent_unrestricted_relay
+    - postfix_prevent_unrestricted_relay
 
     # RHEL-08-040300
     - aide_verify_ext_attributes
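Review bot: The three removed comment lines were the only record of why postfix_prevent_unrestricted_relay had been disabled (missing /etc/postfix/main.cf breaking remediation), and nothing in the re-enabled selection says what changed; the same applies to the rhel9 stig.profile hunk. A single comment above the selection keeps that history visible, e.g. `# Gated by the postfix CPE platform: notapplicable when the package is absent, so remediation no longer fails on a default install.` The gating itself is presumably inherited from the postfix_harden_os group's new platform key rather than from the rule file — worth confirming, since the rule.yml hunk in this patch adds no platform of its own.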
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
index a40d848ee67..8d60468528d 100644
--- a/products/rhel9/profiles/stig.profile
+++ b/products/rhel9/profiles/stig.profile
@@ -1030,9 +1030,7 @@ selections:
     - sysctl_net_ipv4_conf_all_rp_filter
 
     # RHEL-08-040290
-    # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
-    # there needs to be a new platform check to identify when postfix is installed or not
-    # - postfix_prevent_unrestricted_relay
+    - postfix_prevent_unrestricted_relay
 
     # RHEL-08-040300
     - aide_verify_ext_attributes
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 6e3ecfd9bf9..4163a07cbad 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -44,6 +44,11 @@ cpes:
       title: "Package pam is installed"
       check_id: installed_env_has_pam_package
 
+  - postfix:
+      name: "cpe:/a:postfix"
+      title: "Package postfix is installed"
+      check_id: installed_env_has_postfix_package
+
   - sssd:
       name: "cpe:/a:sssd"
       title: "Package sssd-common is installed"
diff --git a/shared/checks/oval/installed_env_has_postfix_package.xml b/shared/checks/oval/installed_env_has_postfix_package.xml
new file mode 100644
index 00000000000..95ad355147b
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_postfix_package.xml
@@ -0,0 +1,20 @@
+<def-group>
+
+  <definition class="inventory"
+  id="installed_env_has_postfix_package" version="1">
+    <metadata>
+      <title>Package postfix is installed</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Checks if package postfix is installed.</description>
+      <reference ref_id="cpe:/a:postfix" source="CPE" />
+    </metadata>
+    <criteria>
+      <criterion comment="Package postfix is installed" test_ref="test_env_has_postfix_installed" />
+    </criteria>
+  </definition>
+
+  {{{ oval_test_package_installed(package='postfix', evr='', test_id='test_env_has_postfix_installed') }}}
+
+</def-group>
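Review bot: The `<definition>` start tag is split so that its `id=` attribute sits on the next line at the same indentation as the element itself, which reads like a sibling line rather than a continuation and differs from how the other attributes in this file are written; on one line, `<definition class="inventory" id="installed_env_has_postfix_package" version="1">`, is clearer and short enough to fit. Also worth a glance: the criterion `comment` duplicates the `<title>` text, which is fine, but the test id `test_env_has_postfix_installed` does not follow the definition id's `installed_env_has_<pkg>_package` pattern — if sibling installed_env_has_* checks use a different naming convention, matching it keeps the checks greppable.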
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ee4c156b79c..29fe687600c 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1314,7 +1314,6 @@ CCE-87228-3
 CCE-87229-1
 CCE-87230-9
 CCE-87231-7
-CCE-87232-5
 CCE-87233-3
 CCE-87234-1
 CCE-87235-8
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index ba596f86f83..ca0097b844b 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -64,8 +64,8 @@ selections:
 - accounts_user_home_paths_only
 - accounts_user_interactive_home_directory_defined
 - accounts_user_interactive_home_directory_exists
-- aide_check_audit_tools
 - agent_mfetpd_running
+- aide_check_audit_tools
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
@@ -304,6 +304,7 @@ selections:
 - partition_for_var_log_audit
 - partition_for_var_tmp
 - postfix_client_configure_mail_alias
+- postfix_prevent_unrestricted_relay
 - require_emergency_target_auth
 - require_singleuser_auth
 - root_permissions_syslibrary_files
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 9db93027011..3533208c4a5 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -75,8 +75,8 @@ selections:
 - accounts_user_home_paths_only
 - accounts_user_interactive_home_directory_defined
 - accounts_user_interactive_home_directory_exists
-- aide_check_audit_tools
 - agent_mfetpd_running
+- aide_check_audit_tools
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
@@ -315,6 +315,7 @@ selections:
 - partition_for_var_log_audit
 - partition_for_var_tmp
 - postfix_client_configure_mail_alias
+- postfix_prevent_unrestricted_relay
 - require_emergency_target_auth
 - require_singleuser_auth
 - root_permissions_syslibrary_files